Field Of The Invention

The invention relates generally to the field of digital data processing systems, and more particularly to arrangements for facilitating regulation of resource usage in distributed computing environments. The invention particularly provides an inexpensive certificate-based authentication arrangement for a distributed computing environment in which authentication certificates provided with requests to access resources provided by servers in the distributed computing environment include resource utilization permission information obtained from privilege certificates provided by the respective servers or by privilege certificate issuing authorities on behalf of the respective servers.

Background Of The Invention

In a distributed computing environment, a number of computer systems are interconnected by networks. In a distributed computing environment that is organized according to the conventional "client-server" paradigm, computers, as client computers, can make use of computing resources, such as applications, information files and so forth, which are provided by other computers and other components which can provide resources and offer services as servers. In such an environment, computers may be exclusively client computers or exclusively server computers. Alternatively or in addition, computers may operate as both client computers and server computers, operating as a client computer when it requests access to a resource provided by another computer, and as a server computer in response to resource access requests from another computer.

A significant problem arising in connection with a distributed computing environment is how to regulate access to resources provided therein. Typically, security administrators make use of access control lists (so-called "ACLs") or similar devices to control access to resources provided by their respective systems. In an access control list-based system, the access control list identifies the particular resources that are available for use by an operator, on an operator-by-operator basis. In addition, the access control list can also identify limitations, if any, which have been placed on each particular operator's use of the resources which he or she has been authorized to use. When an operator, operating a client computer, wishes to make use of a resource that is provided by a system, the client computer will provide an identification for the operator and the particular resource or resources on the system that are to be accessed. If the system's access control list indicates that the operator has the appropriate "permissions," that is, if the access control list indicates that he or she is authorized to make use of the requested resource(s) for the purposes requested, the system will allow the resource(s) to be used in connection with the request. On the other hand, if the access control list indicates that the operator is not authorized to make use of the requested resource(s) for the purposes requested, the system will not allow the resource(s) to be used in connection with the request.

Several problems arise in connection with the use of access control lists and other mechanisms for regulating access to resources. One problem is to verify that an operator who is requesting access to use a resource is, in fact, who he or she says he or she is, thereby to "authenticate" the operator's identity. The severity of this problem, and measures taken to address it, may vary depending on the particular resource that is to be accessed. For example, if an operator is requesting access to information that is publicly available on the server, such as World Wide Web pages that a server is making publicly available over the Internet, verification of the identification of the operator requesting access to the Web page may not be a problem. However, if an operator is requesting access to information from a server that is confidential to the particular enterprise maintaining the server, the system would need to verify not only that the operator has permission to access the information, but also that the operator is who he or she says he or she is.

One way this problem has been addressed is through the use of passwords. In a password-based authentication system, the operator provides not only his name or other identifier, which may be publicly known, but also a password, which would be known only to the operator and the system whose resource(s) is/are to be used. If the password provided to the system along with an access request matches the password known to the system for the operator identified by the identifier also provided with the access request, then the system would assume that the operator's identity has been authenticated and, if the access control list indicates that the operator can use the requested resource, allow access to the requested resource. On the other hand, if the password does not match the password known to the system for the operator identified by the identifier, the system will assume that the operator's identity has not been authenticated, and may refuse to allow access to the requested resource.

Several problems arise with the use of passwords to authenticate operators. First, in order for passwords to be useful, they need to be secure. However, if an operator does not treat his or her password as secure, that is, if he or she allows others access to his or her password, the security of the password will be compromised. Accordingly, a number of systems require operators to change their passwords frequently. This can create a problem particularly if an operator wishes to access resources on a number of systems, since the operator will need to keep his or her password up-to-date on each of the systems.

To avoid the problem of having to update passwords, authentication arrangements have been developed that issue authentication "certificates" for operators who may wish to access resources in a distributed arrangement. A certificate provides identifying indicia which a system can use to authenticate the identification of an operator requesting access to a resource provided by the system. The certificate is issued by a certification authority. A certification authority may be affiliated with systems that provide resources that may be accessed, or it may be a third-party entity that vouches for the identity of the operators to whom it issues certificates. In a certificate-based system, the system would rely on the authentication provided by the certification authority, and the operator need not be previously identified to the system, as would be necessary in, for example, a password-based system. This would alleviate the problems noted above in connection with password-based systems, since the operator need not update password information periodically on all of the systems whose resources may be accessed.
Generally, a certificate includes identification information for the entity that is identified by the certificate, that is, the person or organization that the certificate is supposed to identify, identification information for the certification authority, an algorithm identifier and public key for the certification authority, and an encrypted digital signature. The certification authority uses a hash algorithm, identified by the algorithm identifier, to generate a message digest from the contents of the certificate, and uses the private key of its public key/private key pair to encrypt the message digest, resulting in a digital signature. When the certificate is to be verified, which may occur, for example, when it is to be used to verify that an operator is authorized to use a resource provided by a system, the system uses the same hash algorithm to generate a message digest from the contents of the certificate. In addition, the system uses the certification authority's public key to decrypt the digital signature. If the message digest value generated corresponds to the decrypted digital signature, it can determine that the certificate is authentic. In that case, it can determine that the operator is the entity identified in the certificate. In addition, the system can determine that the key in the certificate is that entity's public key, which can be used to encrypt information to be sent to the entity.
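The digest-and-sign procedure just described, as an added Go example that is not code from the patent: the certification authority hashes the certificate fields and signs the digest with its private key, and a relying system recomputes the digest and checks it against the signature with the CA public key. The Certificate field layout, the JSON encoding and the algorithm identifier string are this example's own assumptions; RSA PKCS#1 v1.5 with SHA-256 is used as one concrete instance of the "encrypt the message digest" scheme the text describes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Certificate mirrors the fields the description lists: identification of
// the entity, identification of the certification authority, the hash
// algorithm identifier, the CA public key and the digital signature.
// The field names are this example's own choice, not the page's.
type Certificate struct {
	Subject    string `json:"subject"`
	Issuer     string `json:"issuer"`
	Algorithm  string `json:"algorithm"`
	PublicKeyN string `json:"ca_public_key_n"` // RSA modulus, decimal
	PublicKeyE int    `json:"ca_public_key_e"`
	Signature  []byte `json:"signature,omitempty"`
}

// tbsBytes returns the "to be signed" encoding: every field except the
// signature itself, serialised deterministically so that signer and
// verifier hash exactly the same bytes.
func tbsBytes(c Certificate) []byte {
	c.Signature = nil
	b, _ := json.Marshal(c) // marshalling this plain struct cannot fail
	return b
}

// IssueCertificate is the certification authority side: hash the certificate
// contents and sign the digest with the CA private key.
func IssueCertificate(caKey *rsa.PrivateKey, issuer, subject string) (Certificate, error) {
	cert := Certificate{
		Subject:    subject,
		Issuer:     issuer,
		Algorithm:  "sha256WithRSA",
		PublicKeyN: caKey.PublicKey.N.String(),
		PublicKeyE: caKey.PublicKey.E,
	}
	digest := sha256.Sum256(tbsBytes(cert))
	sig, err := rsa.SignPKCS1v15(rand.Reader, caKey, crypto.SHA256, digest[:])
	if err != nil {
		return Certificate{}, err
	}
	cert.Signature = sig
	return cert, nil
}

// VerifyCertificate is the relying-system side: recompute the digest with
// the algorithm named in the certificate and check it against the signature
// using the CA public key. The key used here is the one the relying system
// already trusts for this issuer, not a key read out of the very certificate
// being checked, otherwise any forger could supply a matching pair.
func VerifyCertificate(caPub *rsa.PublicKey, cert Certificate) bool {
	if cert.Algorithm != "sha256WithRSA" {
		return false // unknown algorithm identifier: cannot verify
	}
	digest := sha256.Sum256(tbsBytes(cert))
	return rsa.VerifyPKCS1v15(caPub, crypto.SHA256, digest[:], cert.Signature) == nil
}

func main() {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed issuer and subject names.
	cert, err := IssueCertificate(caKey, "Example CA", "alice@example.test")
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine certificate verifies:", VerifyCertificate(&caKey.PublicKey, cert))
	altered := cert
	altered.Subject = "mallory@example.test" // change a field, keep the old signature
	fmt.Println("altered certificate verifies:", VerifyCertificate(&caKey.PublicKey, altered))
}
```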

Since the certification authority uses its private key in generating the signature that is included in the certificate, it is important that the private key remain secure. If the private key is revealed to an unauthorized entity, the unauthorized entity may be able to issue counterfeit certificates that a system may recognize as authentic. A number of strategies are used by a certification authority to maintain security. A certification authority includes a computer that stores the private key and is programmed to generate a certificate on a medium that is readable by a computer or other digital device. The computer is typically maintained in both a physically isolated and an electronically isolated condition. That is, the computer is physically isolated, typically in a securely locked room, so that it may be physically accessed only by an administrator who is trusted and authorized to generate certificates. And it is electronically isolated from networks or other communication media that may be used by the organization that maintains the certification authority, so as to prevent introduction of incorrect software or unauthorized access to information stored on the computer, including the private key. When a certificate is to be generated, the trusted administrator enters the room to access the computer, inputs information for the entity for whom the certificate is to be generated, and obtains the certificate, in machine-readable form, from the computer. Thus, a computer needs to be set aside essentially solely for use as a certification authority.

Generally, an entity that wishes to have a certificate issued will transmit a certificate issuance request to a trusted administrator by any of a number of methodologies, including, for example, Email, requests transferred over the World Wide Web, physical appearance before the trusted administrator, and the like. If the administrator approves a request, he or she saves identification information for the entity for which the certificate is to be generated on a machine-readable medium using the computer that he or she normally uses for his or her work. When the certificate is to be generated, the administrator takes the machine-readable medium from that computer to the computer that is used as the certification authority for use in generating the certificate or certificates that are to be generated during a certificate generation session. During the certificate generation session, the certification authority can read the identification information for the entities for which the certificates are to be generated, display the information to the administrator to permit him or her to make last-minute changes and verification of information as necessary, and generate the certificates. Typically, certificates are generated in a batch fashion, with the administrator engaging in certificate generation sessions periodically.

Setting aside a computer, separate and apart from the other computers maintained by an organization, as a certification authority, in a locked room to maintain the security for the computer, can be relatively expensive. In addition, batch generation of certificates during certificate generation sessions is relatively inconvenient, and can result in delay in issuance of a certificate.

Summary Of The Invention

The invention provides a new and improved system and method for providing a relatively inexpensive and more convenient certification authority.

In brief summary, the invention provides a certification authority for generating certificates in response to respective certification requests. The certification authority generally includes a computer that is bootable from a removable medium and a removable medium. The removable medium includes a machine-readable medium having encoded thereon an operating system module configured to enable the computer to boot from the removable medium and a certificate generation module configured to, after the computer has been booted, control the computer to facilitate the generation of at least one certificate in response to an associated certificate request, the certification authority module being configured to provide that the computer not be remotely controlled during a certificate generation session.

Brief Description Of The Drawings

This invention is pointed out with particularity in the appended claims. The above and further advantages of this invention may be better understood by referring to the following description taken in conjunction with the accompanying drawings, in which:

FIG. 1 depicts a digital computer system for use in connection with a certification authority, in connection with the invention;

FIG. 2 is a flow chart depicting operations performed in connection with the digital computer system during a certificate generation session.

Detailed Description of an Illustrative Embodiment

FIG. 1 depicts an illustrative computer system 10 for use in a certification authority, constructed in accordance with the invention. With reference to FIG. 1, the computer system 10 in one embodiment includes a processor module 11 and operator interface elements comprising operator input components such as a keyboard 12A and/or a mouse 12B (generally identified as operator input element(s) 12) and operator output components such as a video display device 13. The illustrative computer system 10 is of the conventional stored-program computer architecture.

The processor module 11 includes, for example, processor, memory and mass storage devices such as disk and/or tape storage elements (not separately shown) which perform processing and storage operations in connection with digital data provided thereto. The mass storage subsystems may include such devices as disk or tape subsystems, optical disk storage devices and CD-ROM devices in which information may be stored and/or from which information may be retrieved. One or more of the mass storage subsystems may utilize removable storage media that may be removed and installed by an operator, which may allow the operator to load programs and data into the digital computer system 10 and obtain processed data therefrom. Under control of control information provided thereto by the processor, information stored in the mass storage subsystems may be transferred to the memory for storage. After the information is stored in the memory, the processor may retrieve it from the memory for processing. After the processed data is generated, the processor may also enable the mass storage subsystems to retrieve the processed data from the memory for relatively long-term storage.

The operator input element(s) 12 are provided to permit an operator to input information for processing and/or control of the digital computer system 10. The video display device 13 is provided to display visual output information on a screen 14, which is generated by the processor module 11, which may include data that the operator may input for processing, information that the operator may input to control processing, as well as information generated during processing. The processor module 11 generates information for display by the video display device 13 using a so-called "graphical user interface" ("GUI"), in which information for various applications programs is displayed using various "windows." Although the computer system 10 is shown as comprising particular components, such as the keyboard 12A and mouse 12B for receiving input information from an operator, and a video display device 13 for displaying output information to the operator, it will be appreciated that the computer system 10 may include a variety of components in addition to or instead of those depicted in FIG. 1.

In addition, the processor module 11 may include one or more network or communication ports, generally identified by reference numeral 15, which can be connected to communication links to connect the computer system 10 in a computer network, or to other computer systems (not shown) over, for example, the public telephony system. The ports enable the computer system 10 to transmit information to, and receive information from, other computer systems and other devices in the network.

The invention provides a certification authority including the computer 10 and at least one removable machine-readable medium (not separately shown), such as a floppy disk, smart card or the like, which may be inserted into an appropriate device on the computer 10. The removable medium has encoded thereon several programs and modules that, when used by a trusted administrator with the computer 10 during a certificate generation session, serve to configure the computer 10 as a certification authority. The removable medium includes various operating system modules and certification authority modules. The operating system modules configure the removable medium as a bootable medium, so that, after the removable medium has been inserted into the computer's reading device and the computer 10 powered up or reset, the computer 10 will boot from the floppy disk. The computer's boot loader (not separately shown) is configured to initially completely replace any operating software that the computer may have resident thereon with the operating system from the removable medium. From the operating system, the trusted administrator who is using the computer 10 as the certification authority during the certificate generation session can make use of the certification authority modules, which will be described below, to generate the certificates.

Essentially, the invention provides that, since the removable medium can be used in connection with any computer for which the boot loader operates as described above, any such computer can be used as the certification authority, thus eliminating the necessity of providing a separate computer just to be used as a certification authority. In addition, if a trusted administrator maintains possession of the removable medium in a secure manner, such as in a safe, a locked drawer, or the like, the certification authority will be secure against access or tampering by a third party. Thus, the invention provides that no separate secure room need be provided to house the certification authority. Further, since the computer 10 used during the certificate generation session may constitute the computer that the administrator normally uses in his or her other work, certificate generation sessions are more convenient and the administrator may engage in such sessions more often than otherwise.

As noted above, in addition to the operating system modules as described above, the removable medium has stored thereon certification authority modules that serve to configure the computer 10 as a certification authority. In one embodiment, the certification authority modules comprise the following program modules:

(i) an authentication module;
(ii) a communication control module;
(iii) a certification request verification module;
(iv) a certification request display module;
(v) a certification request edit module;
(vi) a certification request approval module;
(vii) a digital signature module; and
(viii) an encrypted private key and a decryption module.

The authentication module controls the computer 10, preferably at the beginning of the certificate generation session, to require the administrator to authenticate him or herself to the certification authority. This may be accomplished by, for example, requiring the administrator to provide his or her identification, such as his or her name, and a password. After the administrator has authenticated him or herself, he or she can make use of facilities provided by the other modules to generate certificates during the certificate generation session.

The communication control module is provided to provide the computer 10 with at most limited communication capabilities. In one embodiment, the communication control module enables the computer 10 to, through the network connection 15, receive only certification requests and transmit signed certificates and messages indicating that a certification request has not been approved. The communication control module controls the computer to ignore or block any other type of attempt at communications with the computer. Specifically, the communication control module does not support services such as telnet, rlogin (remote login) or ftp (file transfer protocol) which might allow the computer 10 or any of its resources (such as memory or disks) to be controlled or accessed remotely over a network to which the computer 10 may be connected during the certificate generation session. This will ensure that, during the certificate generation session, the certification authority's private key in particular cannot be accessed from a remote location over the network.

The certification request verification module is provided to enable the computer 10 to receive information received by the communication control module from the network, and to check the information to verify that the information is a certification request. Each certification request has a predetermined format, and the certification request verification module verifies, for each unit of information that is of sufficient size to be a certification request, that the format of the information conforms to that for a certification request. In addition, the certification request format defines a plurality of fields, each having a certain type of data and allowed characters, and the certification request verification module verifies that the information fields of each certification request contain the appropriate types of data and that they do not contain any characters that are not allowed for the respective fields.
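The checks the certification request verification module performs, as an added Go example that is not from the patent: a minimum size, an overall line format, required fields, and per-field data types and allowed characters. Since the page only says the format is predetermined, the "Field: value" line format, the four field names and the character classes below are this example's assumptions.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// requestFields defines the constructed request format: one "Field: value"
// pair per line, all four fields required, no other fields allowed. Each
// pattern is the data type plus allowed characters for that field.
var requestFields = map[string]*regexp.Regexp{
	"Name":         regexp.MustCompile(`^[A-Za-z][A-Za-z .'-]{1,63}$`),
	"Organization": regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9 .,&-]{1,63}$`),
	"Email":        regexp.MustCompile(`^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$`),
	"PublicKey":    regexp.MustCompile(`^[A-Za-z0-9+/]{32,}={0,2}$`), // base64, no whitespace
}

// minRequestSize is the smallest byte count a well-formed request can have;
// anything shorter is rejected before field parsing is attempted.
const minRequestSize = 64

// VerifyRequest checks size, overall format, required fields and per-field
// allowed characters, returning the parsed fields or the rejection reason.
func VerifyRequest(raw string) (map[string]string, error) {
	if len(raw) < minRequestSize {
		return nil, errors.New("too small to be a certification request")
	}
	if strings.ContainsAny(raw, "\x00\r\x1b") {
		return nil, errors.New("control characters are not allowed")
	}
	fields := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		line := sc.Text()
		if line == "" {
			continue
		}
		name, value, ok := strings.Cut(line, ": ")
		if !ok {
			return nil, fmt.Errorf("malformed line %q", line)
		}
		pattern, known := requestFields[name]
		if !known {
			return nil, fmt.Errorf("unknown field %q", name)
		}
		if _, dup := fields[name]; dup {
			return nil, fmt.Errorf("duplicate field %q", name)
		}
		if !pattern.MatchString(value) {
			return nil, fmt.Errorf("field %q has the wrong data type or disallowed characters", name)
		}
		fields[name] = value
	}
	for name := range requestFields {
		if _, present := fields[name]; !present {
			return nil, fmt.Errorf("missing required field %q", name)
		}
	}
	return fields, nil
}

func main() {
	// Constructed sample requests: one well formed, one with a character the
	// Organization field does not allow.
	key := strings.Repeat("QUJD", 12)
	good := "Name: Alice Example\nOrganization: Example Corp\nEmail: alice@example.test\nPublicKey: " + key + "\n"
	bad := strings.Replace(good, "Example Corp", "Example Corp | extra", 1)
	for _, r := range []string{good, bad} {
		if fields, err := VerifyRequest(r); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("accepted request for", fields["Name"])
		}
	}
}
```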

The certification request display module is provided to enable the computer 10 to display certification requests that have been received by the communication control module from the network and verified by the certification request verification module on the screen 14 of video display device 13. The certification request display module also enables the computer 10 to, for example, list the certification requests to, in turn, allow the administrator to select one of the certification requests for display.

The certification request edit module is provided to enable the computer 10 to, in turn, allow the administrator to make changes to the information comprising the certification request before the certificate is generated. Changes may be for the purpose of, for example, correcting spelling errors, entering dates for which the generated certificate will be valid, and the like. The administrator may enter the changes through any of the operator input devices 12, including keyboard 12A and mouse 12B. As the administrator enters the changes, the certification request display module enables the computer 10 to display the changes on the screen 14 of video display device 13.

The certification request approval module is provided to enable the computer 10 to allow the administrator to approve or not approve a certification request. The administrator can indicate whether the certification request is to be approved by means of input provided through any of the operator input devices 12. For example, the certification request display module may enable the computer 10 to display "approved" and "not approved" pushbuttons on the screen 14 along with the certification request information, and, after the administrator has completed entering changes to the certification information, he or she may actuate one of the pushbuttons to, respectively, approve or not approve the certification request. If the administrator does not approve a certification request, the certification request approval module enables the computer 10 to generate a message so indicating for transmission by the communication control module to the entity that issued the request. On the other hand, if the administrator does approve a certification request, the certification request approval module enables the computer 10 to generate the certificate, making use of the digital signature module. The certificate includes information from the certification request, information regarding the certification authority, such as the identification of the certification authority, an identifier identifying the algorithm used by the digital signature module to generate the digital signature, and the certification authority's public key.

The digital signature module is provided to enable the computer 10, under control of the certification request approval module, to generate a digital signature using the certification authority's private key.

The encrypted private key and decryption module are provided to enable the computer 10 to determine the certification authority's private key. The certification authority's private key is encrypted using an encryption key that is based on a one-way hash of the administrator's authenticating information. Accordingly, after the administrator has authenticated him or herself to the authentication module, the decryption module can decrypt the certification authority's private key using a decryption key that is also based on the one-way hash of the authenticating information provided by the administrator to the authentication module.

Operations performed in connection with a certificate generation session will be described in connection with the flow chart depicted in FIG. 2. To initiate a certificate generation session in connection with the computer 10, the administrator will initially insert the removable medium into the appropriate receptacle on the computer 10 for facilitating reading of the medium by the computer (step 101) and reset the computer (step 102). This may be accomplished in a number of ways, including actuation of a control button provided therefor on the computer, turning the computer's power off and on, or by any other conventional mechanism as will be appreciated by those skilled in the art.

After the computer has been reset, the computer's boot loader begins booting from the removable medium, in the process completely removing from the computer any operating software that may initially be present on the computer and replacing it with the operating system from the removable medium (step 103). After the operating system has been loaded, it can automatically enable the computer 10 to load and begin processing the authentication module (step 104). Alternatively, the operating system as loaded from the removable medium can enable the computer 10 to display a command line, and the administrator can use the command line to provide input, using the operator input devices such as keyboard 12A and/or mouse 12B, to enable the computer to load and begin processing the authentication module. Other arrangements facilitating initiation of processing of the authentication module will be apparent to those skilled in the art.

After the computer 10 begins processing the authentication module, the authentication module enables the computer 10 to display a log-on screen or prompt line on the screen 14 of video display device 13 (step 105). The administrator can then provide his or her identification indicia, which may include his or her name and/or other identifier, and authentication indicia, such as a password and the like, through the operator input devices, such as keyboard 12A and mouse 12B (step 106). Thereafter, the authentication module enables the computer to determine whether the authentication indicia conform to those provided earlier for the administrator's identification information (step 107). If the computer makes a negative determination in step 107, it may repeat steps 106 and 107 for a predetermined number of times to allow the administrator to provide the identification indicia and the correct authentication indicia (step 108). If the computer, while under control of the authentication module, determines that the administrator is unable to provide the correct authentication indicia that conform to the identification indicia during the predetermined number of additional trials (step 109), the authentication module may exit, and not allow the administrator to continue the certificate generation session (step 110). In addition, the authentication module may enable the computer system 10 to erase critical portions of the removable medium, thereby ensuring that it cannot thereafter be used in connection with a computer to form a certification authority.
On the other hand, if the computer, while under control of the authentication module, makes
a positive determination in step 107, or if it determines in step 109 that the administrator is able to
provide the correct authentication indicia that conform to the identification indicia during at least one
of the predetermined number of additional trials, the authentication module enables the computer
to begin execution of the communication control module, the certification request verification
module, the certification request edit module and the certification request approval module (step
111). Initially, the communication control module enables the computer to request retrieval of
certification requests over the network through the network port 15 (step 112). The certification
requests that are to be processed may be stored in, for example, individual files in a predetermined
storage location in, for example, a server provided in the network. Alternatively, the communication
control module may enable the computer to display a dialog box identifying the server and source
location of the files containing the respective certification requests.

After the computer has received the files containing the certification requests under control
of the communication control module, it (that is, the computer) processes the files under control of
the certification request verification module to verify that each contains a properly formatted
certification request with no characters that are not allowed (step 113). This may be done in a
"batch" manner, in which the files are processed all at once. In that case, the certification request
verification module can, for example, mark each file that contains a properly formatted certification
request for later processing, and for others send notifications to the requesters indicating that the
certification requests were rejected. Alternatively, it may be done in a mode in which it processes
each file containing a certification request when the administrator selects the file for further
processing.

Following step 113, the administrator makes use of the certification request display module
to enable the computer 10 to display a list of certification requests that have been verified by the
computer during processing under control of the certification request verification module (step 114)
and selects one of the listed certification requests for processing (step 115). After the administrator
has selected one of the listed certification requests in step 115, the certification request display
module enables the computer to display information from the certification request file (step 116) so
that the administrator can correct the information as necessary. If the administrator wishes to correct
the information, he or she will enter update information using the keyboard 12A or mouse 12B, and
the certification request edit module will enable the update information to be displayed and stored
in the certification request file (step 117).

After the administrator is finished updating the certification request information and the
information has been stored in the certification request file (step 117), the administrator
can enable the certification request approval module to, in turn, enable the computer 10 to generate
the certificate, if the certificate is to be approved, or notify the entity that requested the certificate
that the certificate is to be rejected. In those operations, the administrator, using the keyboard 12A
or mouse 12B, inputs indicia indicating either approval or rejection of the certificate (step 118). If
the indicia indicate approval of the request, the certification request approval module is enabled to,
in turn, enable the computer to generate the certificate (step 119). In that operation, the certification
request approval module formats the certification request information from the certification request
file, as updated by the administrator, as required for the certificate (step 120) and calls the digital
signature module to generate a digital signature therefor from the information in the certificate and
the private key (step 121). If the private key has not been previously decrypted, the digital signature
module can also enable the decryption module to decrypt the encrypted private key. After the
certificate has been generated, the certification request approval module enables the communication
control module to transfer the generated certificate to the entity that requested it or to another
publication location such as a directory service (step 122).

Returning to step 118, if the administrator inputs indicia indicating rejection of the certificate,
the certification request approval module generates a rejection notice for transmission to the entity
that requested the certificate, which may include information as to why the certificate was rejected
(step 123). Thereafter, the certification request approval module enables the communication control
module to transfer the generated rejection notice to the entity that requested the certificate (step 124).
Following step 122 or 124, the certification request display module can enable the computer
to remove the just-processed certification request from the list displayed on the screen 14 (step 125).
Thereafter, operations can return to step 115 to allow the administrator to select another certification
request from the list, if any.

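The session described above, from the authentication trials (steps 106 through 110) through batch verification (step 113) and approval (steps 119 through 121), as an added Python model that is not code from the patent. The key=value request format, the ALLOWED character set, the trial count, the constructed SAMPLE_REQUEST and the use of HMAC-SHA256 in place of the digital signature module are assumptions made here; the verification step is the one that rejects a request carrying a disallowed control character.

```python
"""Added model of the session above (not the patent's code). Assumed: key=value
request lines, the ALLOWED set, the trial count, HMAC-SHA256 for the signature."""
import hashlib
import hmac
import string
ALLOWED = set(string.ascii_letters + string.digits + " =.,:@_+/-\n")
MAX_TRIALS = 3  # steps 106-110: the predetermined number of trials
SAMPLE_REQUEST = "subject=alice@example.org\npublic_key=MFkwEwYHKoZI\n"  # constructed

def password_digest(password):
    return hashlib.sha256(password.encode()).hexdigest()

def authenticate(stored_digest, offered_passwords):
    """Steps 106-110: succeed within MAX_TRIALS offered passwords, else exit."""
    for offered in offered_passwords[:MAX_TRIALS]:
        if hmac.compare_digest(password_digest(offered), stored_digest):
            return True
    return False

def parse_request(text):
    """Return the request's fields, or None if a line is not key=value."""
    fields = {}
    for line in text.strip().splitlines():
        if "=" not in line:
            return None
        key, value = line.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields

def verify_request(text):
    """Step 113: properly formatted and free of disallowed characters."""
    if not set(text) <= ALLOWED:
        return False
    fields = parse_request(text)
    return fields is not None and all(fields.get(f) for f in ("subject", "public_key"))

def verify_batch(files):
    """Batch mode: mark verified files; the rest get a rejection notice."""
    good = {name: text for name, text in files.items() if verify_request(text)}
    notices = {name: "rejected: malformed certification request"
               for name in files if name not in good}
    return good, notices

def approve(text, private_key, serial):
    """Steps 119-121: format the edited request as a certificate and sign it."""
    fields = parse_request(text)
    body = (f"serial={serial}\nsubject={fields['subject']}\n"
            f"public_key={fields['public_key']}\n")
    signature = hmac.new(private_key, body.encode(), hashlib.sha256).hexdigest()
    return body + f"signature={signature}\n"
```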
The above-described operations can be repeated for all of the certification requests in the list
displayed on the screen 14 of video display device 13, or for any portion thereof as selected by the
administrator during the certificate generation session. It will be appreciated that the administrator
can terminate the certificate generation session at any time, in which case unprocessed certification
requests can be maintained on the computer 10, stored on the removable medium, or the like, for
processing during a subsequent certificate generation session, or retrieved again from its source
location during a subsequent certificate generation session.

The invention provides a number of advantages. In particular, it provides a relatively
inexpensive certification authority arrangement for an organization, which provides that many
computers can operate as certification authorities, avoiding the necessity of taking extraordinary
security measures for the computer to be used as the certification authority, such as isolating the
computer from the organization's network and maintaining it in a secure locked room. The invention
provides that
(i) security of the certification authority be maintained by physical possession of the
removable medium which includes all of the program modules to be used by the computer in
connection with the certification authority, and
(ii) electronic security be maintained by providing very limited communication capabilities
for the computer, and specifically excludes any capability that would allow remote control of
resources of the computer being used as the certification authority.

Since the invention can be used with any computer whose boot loader is configured to initially
completely replace any operating software that the computer may have resident thereon with the
operating system from the removable medium, the invention provides for extensive flexibility for
the certification authority.

It will be appreciated that a number of modifications may be made to the arrangement as
described above. For example, although the arrangement has been described as including a
communication control module for controlling limited communications over a network, it will be
appreciated that an arrangement may be provided that does not include a communication control
module. In that case, the administrator may download the certification request files to a mass storage
subsystem on the computer, or on the removable medium, prior to the certificate generation session,
and the certification request files may be retrieved therefrom during the session. In addition, the
issued certificates or rejections can be buffered on the hard disk during the session, and transmitted
after the session has ended.

The computer that is used as the certification authority can be any kind of computer,
including, for example, any personal computer, workstation, laptop, palm-top or the like. The
computer must be dedicated to the certification authority function while it is being used as a
certification authority during a certificate generation session, but it can be used for other operations
at other times. In addition, although the computer has been described as providing a GUI for the
operator, it will be appreciated that the computer may instead or in addition provide a command line
interface.

It may be advantageous to have some portion of the arrangement that is described above as
being stored on the removable medium, stored on a separate medium. For example, one or more of
the digital signature module, encrypted private key and decryption module can be stored on a Smart
Card or iButton, and a separate authentication may be required for that. Furthermore, the two (that
is, the removable medium storing the other modules, and the Smart Card or iButton storing the
digital signature module, encrypted private key and/or the decryption module) may be linked, so that
the one may not be used without a specific other. In that case, even if one of them is lost or the
security otherwise compromised, they cannot be used in combination with another
SmartCard/iButton or removable medium, respectively. The Smart Card or iButton can be provided
with disabling software so that, if a predetermined number of authentication attempts are
unsuccessful, the device will be disabled.

Instead of using a removable medium, some or a significant portion of the modules can be
stored on a programmable read-only memory ("PROM") comprising part of the computer, which
may form part of, for example, the boot loader or other component. In that case, one or more of the
digital signature module, encrypted private key and decryption module can be stored on a Smart
Card or iButton, and a separate authentication may be required for that, as described above.

It will be appreciated that a system in accordance with the invention can be constructed in
whole or in part from special purpose hardware or a general purpose computer system, or any
combination thereof, any portion of which may be controlled by a suitable program. Any program
may in whole or in part comprise part of or be stored on the system in a conventional manner, or it
may in whole or in part be provided to the system over a network or other mechanism for
transferring information in a conventional manner. In addition, it will be appreciated that the system
may be operated and/or otherwise controlled by means of information provided by an operator using
operator input elements (not shown) that may be connected directly to the system or that may
transfer the information to the system over a network or other mechanism for transferring
information in a conventional manner.

The foregoing description has been limited to a specific embodiment of this invention. It will
be apparent, however, that various variations and modifications may be made to the invention, with
the attainment of some or all of the advantages of the invention. It is the object of the appended
claims to cover these and such other variations and modifications as come within the true spirit and
scope of the invention.

What is claimed as new and desired to be secured by Letters Patent of the United States is: